Eric Paris wrote:
On 12/11/07, Johnny Tan linuxweb@gmail.com wrote:
Stephen Smalley wrote:
On Mon, 2007-12-10 at 17:14 -0500, Johnny Tan wrote:
Stephen Smalley wrote:
Then I tried: semanage port -a -t mysqld_port_t -p tcp 1186
What does semanage port -l | grep 1186 show afterward?
# semanage port -l | grep 1186 mysqld_port_t tcp 1186, 3306
What do you mean by "didn't work", i.e. same avc message repeated afterward upon subsequent attempts to connect?
type=AVC msg=audit(1197324654.830:1482): avc: denied { name_connect } for pid=20484 comm="mysqld" dest=54859 scontext=root:system_r:mysqld_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1197324654.830:1482): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=1972e194 a2=10 a3=4504aedc items=0 ppid=20385 pid=20484 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=pts1 comm="mysqld" exe="/usr/libexec/mysqld" subj=root:system_r:mysqld_t:s0 key=(null)
Hmm...that's a bug then - that should work, and seems to work for me on Fedora 7.
I can file a bugzilla. But do you know if these types of changes get backported into RHEL? They're technically not security exploits so I'm guessing "no".
Actually, isn't that AVC saying the port you are connecting to is 54859, not 1186?
You're right. I just saw the name_connect and assumed it was 1186 again. It seems it only connects to the cluster manager on port 1186. Once that's successful (which it now is with the semanage rule above), it then makes a connection to every node in the cluster, using ports in the ephemeral port range.
And it's those extra node connect attempts that are being denied. There's one denial for every single cluster node. (I didn't look closely, and thought those were simply multiple denials for the 1186 connect.)
So, my two follow-up questions are:
1) Is there a better way to allow mysqld to connect to the cluster nodes besides just allowing mysqld to make any tcp connect?
2) If this is changed to the correct behavior in the future, is this something that Red Hat would backport into existing RHELs, like RHEL-5?
johnn